KeyName within a Digital Signature - Configurable?

KeyName within a Digital Signature - Configurable?

jaybytez
I am currently working with CXF/WSS4J to try and produce a digital signature.

I believe I have all the correct options in place with the following code:

Spring Context

    <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <!-- apply an XML-DSIG signature to the outbound message -->
                <entry key="action" value="Signature"/>
                <entry key="user" value="username"/>
                <!-- keystore alias whose private key signs the message -->
                <entry key="signatureUser" value="username"/>
                <!-- how the signing certificate is referenced from ds:KeyInfo -->
                <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
                <!-- sign the SOAP Body element -->
                <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="signaturePropFile" value="signature-wss4j.properties"/>
                <!-- callback that supplies the private-key password for the alias above -->
                <entry key="passwordCallbackRef">
                    <bean class="com.foo.PasswordCallbackHandler">
                        <property name="password" value="password"/>
                    </bean>
                </entry>
            </map>
        </constructor-arg>
    </bean>

signature-wss4j.properties

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=password
    # alias of the private key / certificate pair used for signing
    org.apache.ws.security.crypto.merlin.keystore.alias=username
    org.apache.ws.security.crypto.merlin.file=keystore.jks

When I submit my request using the previous interceptor configuration which is configured via the org.apache.cxf.jaxws.JaxWsProxyFactoryBean, the SOA product we are submitting to fails to auth the signature (and says "Failed to gather credentials").

The product's documentation states the following:


From the SOA Security Manager manual:
Required XML Document Elements for XML-DSIG Authentication 
For the XML-DSIG authentication scheme to work, the XML document sent by the web service consumer must contain the following elements:
<Signature> 
As the parent element for the XML signature, it specifies all information relevant to the digital signature.  To verify the signature, SOA Security Manager requires that an X.509 certificate be part of the <Signature> element in the XML document. Because the Policy Server does not interact with a Certificate Authority for this scheme, you must configure a certificate mapping that maps the Issuer DN in the certificate to a corresponding entry in the referenced user store. For LDAP user directories only, you can configure the certificate mapping to require that a copy of the certificate is in the user store to be compared against the certificate in the document.
<KeyInfo> 
This element specifies the key needed to validate the signature. This information may include keys, names, and certificates for the sender. For the Policy Server to authenticate a client, this element must have enough information to determine the public key that created the signature.
<KeyName> 
This is a child element of <KeyInfo>; it contains a string value that identifies the key to the recipient of the XML document. This string could be a key index, a distinguished name (DN), or an email address, for example.


So the thought is that I am missing KeyName in the signature that is getting generated, but I haven't found any properties that would let me set that value in the KeyInfo.  Are there properties that would give me control of this?

I have read through the CXF documentation, Spring Web Services (for WSS4J examples), WSS4J, and FuseSource Security docs...but I can't seem to find what I am looking for.

Thanks for the time and help,

Jay Blanton

Re: KeyName within a Digital Signature - Configurable?

Glen Mazza (Talend)
Here's my blog entry on this:
http://www.jroller.com/gmazza/entry/cxf_x509_profile, but I haven't
tried signature without encryption, so I don't know offhand whether it's
possible.

Glen

On 08/01/2011 04:40 PM, jaybytez wrote:

--
Glen Mazza
Talend (http://www.talend.com/ai)
blog: http://www.jroller.com/gmazza



Re: KeyName within a Digital Signature - Configurable?

coheigea
In reply to this post by jaybytez
It's not possible to specify a KeyName by configuration at the moment.
The only supported values are (from
http://ws.apache.org/wss4j/config.html):

DirectReference
IssuerSerial
X509KeyIdentifier
SKIKeyIdentifier
EmbeddedKeyName
Thumbprint
EncryptedKeySHA1

You can configure KeyNames programmatically though.

Colm.

On Mon, Aug 1, 2011 at 9:40 PM, jaybytez <[hidden email]> wrote:

--
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com

Context injection when using "request scoped" beans

Clint Dovholuk
Hi all,

I have followed the instructions at http://cxf.apache.org/docs/jaxrs-services-configuration.html to configure my jax-rs service as request scoped, created the simple custom factory as described but the @Context (org.apache.cxf.jaxrs.ext.MessageContext) does not seem to be getting set when I switched from singleton to request scope even though I followed the documentation which said to use serviceFactories because this is a known issue. (in the paragraph beginning with: "The request-scoped service bean instances [...] are not actually available at the initialization time thus one limitation of the above configuration is that it is not possible to inject JAX-RS contexts into these service beans")

What might I be doing wrong? Any guidance is greatly appreciated. I could provide sample config files / classes if that'd help?

Thanks,
-Clint

Re: KeyName within a Digital Signature - Configurable?

jaybytez
In reply to this post by coheigea
Is there a document or one of the specs that discusses the differences between:

DirectReference
IssuerSerial
X509KeyIdentifier
SKIKeyIdentifier
EmbeddedKeyName
Thumbprint
EncryptedKeySHA1

Thanks for your help and time,

Jay

Re: Context injection when using "request scoped" beans

Sergey Beryozkin
In reply to this post by Clint Dovholuk
Hi

On Tue, Aug 2, 2011 at 3:35 PM, Clint Dovholuk <[hidden email]> wrote:
> [...]
Which CXF version are you using? That should work for 2.4.1. Some
users have reported that the injection works for request-scope
singletons...
Cheers, Sergey

> Thanks,
> -Clint
>
>
>
>



--
Sergey Beryozkin

http://sberyozkin.blogspot.com
Talend - http://www.talend.com

RE: Context injection when using "request scoped" beans

Clint Dovholuk
Sadly we are constrained to using 2.2.12 currently.  Would this have been fixed between 2.2.12 and 2.4.1 or should it have worked in 2.2.12 as well?

Thanks for your reply,
-Clint


Re: Context injection when using "request scoped" beans

Sergey Beryozkin
Hi Clint

On Tue, Aug 2, 2011 at 7:53 PM, Clint Dovholuk <[hidden email]> wrote:
> Sadly we are constrained to using 2.2.12 currently.  Would this have been fixed between 2.2.12 and 2.4.1 or should it have worked in 2.2.12 as well?
>
It was fixed for 2.4.1 only based on the feedback from one of the
users. I'm not sure, but maybe you can get MessageContext injected
from Spring AOP handlers somehow in 2.2.12? If it's possible in
Spring AOP to set some properties on a given bean before the
invocation, then it might be an option.
CXF PhaseInterceptorChain.getCurrentMessage() will give the current
Message and it can be used to initialize a MessageContext instance as
'new MessageContextImpl(message)'. I can provide more info if you
decide to experiment with this option.

Thanks, Sergey




--
Sergey Beryozkin

http://sberyozkin.blogspot.com
Talend - http://www.talend.com

RE: Context injection when using "request scoped" beans

Clint Dovholuk
Thanks Sergey - using PhaseInterceptorChain.getCurrentMessage().get("HTTP.REQUEST") seems like it's going to do what I need.

-Clint


Re: KeyName within a Digital Signature - Configurable?

coheigea
In reply to this post by jaybytez
Section 7 - Token References of the SOAP Message Security 1.1
specification gives more information:

http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

Colm.

On Tue, Aug 2, 2011 at 6:21 PM, jaybytez <[hidden email]> wrote:



--
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
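Colm's list of signatureKeyIdentifier values earlier in the thread and the Section 7 pointer above both concern one thing: how the signer's certificate is referenced from ds:KeyInfo. The posted config, with X509KeyIdentifier, wraps the certificate in a wsse:SecurityTokenReference, whereas the quoted SOA Security Manager manual describes a KeyInfo with a ds:KeyName and an X.509 certificate. Before touching the verifier's certificate mapping it is worth confirming which shape is actually on the wire. The following is an added example, not code from the thread or from CXF/WSS4J: a small Python checker that parses a captured signed envelope, reports the token-reference form in use (DirectReference, IssuerSerial, X509KeyIdentifier, SKIKeyIdentifier, Thumbprint or EncryptedKeySHA1, or a plain ds:X509Data), whether the certificate itself travels in the message, and which of the quoted requirements would still be unmet. The sample envelopes, the placeholder certificate bytes and the CN=username,O=Example key name are constructed for the example; a real outbound message can be captured with CXF's LoggingOutInterceptor.

```python
# Added example, not code from the thread or from CXF/WSS4J: report which key-reference
# form a signed SOAP envelope carries in ds:KeyInfo. Sample messages are constructed.
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
WSS11 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"

# wsse:KeyIdentifier/@ValueType -> the WSS4J signatureKeyIdentifier value that emits it
KEY_IDENTIFIER_STYLES = {
    X509_PROFILE + "#X509v3": "X509KeyIdentifier",
    X509_PROFILE + "#X509SubjectKeyIdentifier": "SKIKeyIdentifier",
    WSS11 + "#ThumbprintSHA1": "Thumbprint",
    WSS11 + "#EncryptedKeySHA1": "EncryptedKeySHA1",
}


def classify_key_info(envelope_xml):
    """Return (reference_style, key_name, cert_in_message) for the first ds:Signature."""
    root = ET.fromstring(envelope_xml)
    key_info = root.find(".//ds:Signature/ds:KeyInfo", NS)
    if key_info is None:
        return ("none", None, False)
    name_el = key_info.find(".//ds:KeyName", NS)
    key_name = name_el.text.strip() if name_el is not None and name_el.text else None

    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    if str_el is None:  # plain XML-DSIG KeyInfo, no WS-Security token reference at all
        has_cert = key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None
        return ("X509Data" if has_cert else "none", key_name, has_cert)

    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # DirectReference: URI must resolve to a BinarySecurityToken
        wanted = ref.get("URI", "").lstrip("#")
        bst_ids = {b.get("{%s}Id" % NS["wsu"])
                   for b in root.iterfind(".//wsse:BinarySecurityToken", NS)}
        return ("DirectReference", key_name, wanted in bst_ids)

    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        style = KEY_IDENTIFIER_STYLES.get(kid.get("ValueType", ""), "unknown")
        # Only X509v3 embeds the certificate; SKI, thumbprint and EncryptedKeySHA1 are
        # handles the verifier has to resolve against a store it already holds
        return (style, key_name, style == "X509KeyIdentifier")

    if str_el.find("ds:X509Data/ds:X509IssuerSerial", NS) is not None:
        return ("IssuerSerial", key_name, False)
    return ("unknown", key_name, False)


def missing_for_xmldsig_verifier(envelope_xml):
    """What the quoted SOA Security Manager requirements would still be missing."""
    _, key_name, cert_in_message = classify_key_info(envelope_xml)
    missing = []
    if not cert_in_message:
        missing.append("X.509 certificate carried in the message")
    if key_name is None:
        missing.append("ds:KeyName under ds:KeyInfo")
    return missing


def _envelope(key_info_inner, extra_header=""):
    """Constructed signed-envelope skeleton; the signature bytes are a placeholder."""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><soap:Header><wsse:Security>'
            f'{extra_header}<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln'
            f'</ds:SignatureValue><ds:KeyInfo>{key_info_inner}</ds:KeyInfo></ds:Signature>'
            f'</wsse:Security></soap:Header><soap:Body wsu:Id="Body"><ping/></soap:Body>'
            f'</soap:Envelope>')


CERT_B64 = "TUlJQ2R6Q0NBVitTQW1wbGU="  # placeholder, not a real certificate

# 1. What the posted config (signatureKeyIdentifier=X509KeyIdentifier) puts on the wire
SAMPLE_X509_KEY_IDENTIFIER = _envelope(
    f'<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{X509_PROFILE}#X509v3">'
    f'{CERT_B64}</wsse:KeyIdentifier></wsse:SecurityTokenReference>')
# 2. DirectReference: certificate travels as a BinarySecurityToken referenced by wsu:Id
SAMPLE_DIRECT_REFERENCE = _envelope(
    f'<wsse:SecurityTokenReference><wsse:Reference URI="#X509-1" '
    f'ValueType="{X509_PROFILE}#X509v3"/></wsse:SecurityTokenReference>',
    extra_header=f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509_PROFILE}'
                 f'#X509v3">{CERT_B64}</wsse:BinarySecurityToken>')
# 3. SKIKeyIdentifier: only a subject-key-identifier handle, no certificate in the message
SAMPLE_SKI = _envelope(
    f'<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{X509_PROFILE}'
    f'#X509SubjectKeyIdentifier">c2tp</wsse:KeyIdentifier></wsse:SecurityTokenReference>')
# 4. Plain XML-DSIG KeyInfo with KeyName plus the certificate, the shape the quoted manual
#    describes and which, per Colm's reply, the signature configuration cannot produce
SAMPLE_KEYNAME = _envelope(
    '<ds:KeyName>CN=username,O=Example</ds:KeyName>'
    f'<ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data>')
```

Run classify_key_info and missing_for_xmldsig_verifier over the logged outbound message. If the result names a wsse:SecurityTokenReference form and no ds:KeyName, the client is sending a WS-Security style token reference rather than the plain XML-DSIG KeyInfo the manual describes, which is a different problem from a wrong key, alias or password. The checker only identifies the reference form and the presence of the certificate; it does not verify the signature itself.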